Binge On Under the Microscope

With T-Mobile's "Binge On" service, video streams from a large number of partner sites are provided to subscribers at no cost to their data plan (this is called "zero-rating"). Binge On has been highly controversial, due to concerns over network neutrality, user confusion, and technical downsides for users. The resulting debate has led the EFF to call for T-Mobile to abandon Binge On, and generated several responses from T-Mobile’s CEO John Legere. Importantly, there is little rigorous empirical data to inform the implications of zero-rating on network neutrality principles or customer-perceived video-streaming quality.

In this work, we conduct a study of T-Mobile’s zero-rating service to understand its implications for users and content providers in terms of data quota, performance, and video-streaming quality. We focus on T-Mobile and Binge On due to their recent prominence, but we believe that lessons learned from this exercise will readily apply to other carriers using similar technologies.

Key findings

Binge On is implemented solely by rate-limiting specific flows to 1.5 Mbps (consistent with the EFF’s study).

T-Mobile claims that Binge On provides "optimized streaming", but we found no evidence of transcoding or optimization taking place.

We find that with Binge On enabled, non-partner video streams see the same rate-limit, but users are charged for these degraded streams.

T-Mobile claims subscribers will achieve 480p or better. We found no evidence of “better” in our experiments. Instead, we found YouTube streamed at 360p with Binge On enabled, but could stream at 1080p with it disabled.

Binge On does not correctly identify all video traffic, meaning not all video providers receive equal treatment.

Further, this inaccuracy also makes it possible for them to rate-limit traffic that is not video.

Binge On’s implementation is vulnerable to free riding, in which a subscriber can access any content (not just video) at no cost to their data plan. Note that we responsibly disclosed the vulnerability to T-Mobile (in March), and they have stated that free riding is against their terms of service.

Reproducing the free-riding vulnerability

If you are interested in reproducing our free-riding results, please email us, and we can provide you with a simple tool. Note that T-Mobile states that free riding using this vulnerability is against their terms of service, and we do not encourage or condone its use for this purpose.

Approach

Binge On traffic is classified strictly using simple text matching, which suggests that we can exploit Binge On to free-ride on T-Mobile by modifying arbitrary HTTP traffic to masquerade as Binge On-enabled (and thus zero-rated) activity. We built a proxy tool that does this, and confirmed that it allows free-riding.

The following figure illustrates how Binge On can be subverted.

First, a local proxy on the user’s device stores the Host header in an X-Host header, then rewrites the Host header with a Binge On-enabled host (e.g., hbogo.com) and forwards the request to a proxy located outside of T-Mobile’s network.

This causes T-Mobile’s classifier to detect the traffic as BingeOn-enabled and zero-rate it.

Next, the proxy outside of T-Mobile reverts the local proxy’s changes and forwards the request to the final destination.

This material is based upon work supported by the National Science Foundation under Grant No. (CNS-1617728) and by a Google Faculty Research Award. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation or Google.